Integrating Therefore™ with Azure Active Directory

Azure Portal Configuration

Step 1: Configuring the Therefore Client connection.

The first set of steps takes place within the Azure Portal:

  1. Navigate to https://portal.azure.com (and log in if required).
  2. Select ‘Azure Active Directory’.
  3. Select ‘App Registrations’ along the left side panel.
  4. Select ‘New Registration’.
  5. Populate the ‘Name’ field with ‘Therefore Client Login’.
  6. Ensure ‘Accounts in this organisational directory only’ is selected.
  7. Select ‘Register’ to confirm registration of the application.
  8. Select ‘Authentication’ along the left side panel.
  9. Select ‘Add a platform’, then ‘Web’.
  10. Configure the Redirect URI as follows:
    1. https://<tenantname>.thereforeonline.com/Client/WEB/Login/SSOLogin.aspx
  11. Tick ‘Access Tokens’ and ‘ID Tokens’ in the ‘Implicit Grant’ section.
  12. Select ‘Add a platform’, then ‘Mobile and Desktop Applications’.
  13. Tick ‘https://login.microsoftonline.com/common/oauth2/nativeclient’.
  14. Select ‘Configure’ to confirm the new platform configuration.
  15. Select ‘Manifest’ along the left side panel.
  16. Change the allowPublicClient property from null to true.
  17. Change the groupMembershipClaims property from null to “SecurityGroup”.
  18. Select ‘Overview’ along the left side panel and make a note of the Application (client) ID (note this down as <Therefore Client ClientID>).
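
To confirm the registration matches Step 1 before moving on, the manifest JSON shown under ‘Manifest’ can be checked offline. The following is an added example, not part of the original article or of Therefore's tooling; it assumes the manifest format that exposes allowPublicClient as named above, the property names other than allowPublicClient and groupMembershipClaims are taken from that format rather than from this article, and "contoso" is a constructed stand-in for <tenantname>.

```python
import json

# Constructed sample manifest excerpt; "contoso" stands in for <tenantname>.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "Therefore Client Login",
  "signInAudience": "AzureADMyOrg",
  "allowPublicClient": true,
  "groupMembershipClaims": "SecurityGroup",
  "oauth2AllowImplicitFlow": true,
  "oauth2AllowIdTokenImplicitFlow": true,
  "replyUrlsWithType": [
    {"url": "https://contoso.thereforeonline.com/Client/WEB/Login/SSOLogin.aspx", "type": "Web"},
    {"url": "https://login.microsoftonline.com/common/oauth2/nativeclient", "type": "InstalledClient"}
  ]
}
""")

NATIVE_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"

def check_client_manifest(manifest, tenant_name):
    """Return a list of deviations from the Step 1 settings (empty list = matches)."""
    web_uri = f"https://{tenant_name}.thereforeonline.com/Client/WEB/Login/SSOLogin.aspx"
    expected = {
        "signInAudience": "AzureADMyOrg",          # step 6: this directory only
        "oauth2AllowImplicitFlow": True,           # step 11: Access Tokens
        "oauth2AllowIdTokenImplicitFlow": True,    # step 11: ID Tokens
        "allowPublicClient": True,                 # step 16
        "groupMembershipClaims": "SecurityGroup",  # step 17
    }
    problems = [f"{key}: expected {want!r}, found {manifest.get(key)!r}"
                for key, want in expected.items() if manifest.get(key) != want]
    # Redirect URIs are compared exactly, as (url, platform type) pairs, so a
    # leftover or mistyped URI is reported as well as a missing one.
    found = {(str(r.get("url")), str(r.get("type")))
             for r in manifest.get("replyUrlsWithType", [])}
    wanted = {(web_uri, "Web"), (NATIVE_URI, "InstalledClient")}
    problems += [f"missing redirect URI: {u} ({t})" for u, t in sorted(wanted - found)]
    problems += [f"unexpected redirect URI: {u} ({t})" for u, t in sorted(found - wanted)]
    return problems

if __name__ == "__main__":
    result = check_client_manifest(SAMPLE_MANIFEST, "contoso")
    for line in result or ["manifest matches Step 1"]:
        print(line)
```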

Step 2: Configuring the Therefore Server connection.

  1. Navigate to https://portal.azure.com (and log in if required).
  2. Select ‘Azure Active Directory’.
  3. Select ‘App Registrations’ along the left side panel.
  4. Select ‘New Registration’.
  5. Populate the ‘Name’ field with ‘Therefore Server Login’.
  6. Ensure ‘Accounts in this organisational directory only’ is selected.
  7. Select ‘Register’ to confirm registration of the application.
  8. Select ‘API Permissions’ along the left side panel.
  9. Select ‘Add a Permission’.
  10. Select ‘Microsoft Graph’.
  11. Select ‘Application Permissions’.
  12. Search for and tick ‘Directory.Read.All’.
  13. Select ‘Add Permissions’ to apply the change.
  14. Select ‘Grant Admin Consent for <CustomerName>’, then ‘Yes’ in the pop-up that appears.
  15. Select ‘Certificates & Secrets’ along the left side panel.
  16. Select ‘New Client Secret’, and create it with an expiry of ‘Never’.
  17. Make a note of the Client Secret (note this down as <Application Secret>).
  18. Select ‘Overview’ along the left side panel and make a note of the Application (client) ID (note this down as <Therefore Server ClientID>).

Therefore Configuration

Step 1: Connecting Therefore to Azure AD.

The remaining steps take place within Therefore:

  1. Open Therefore Solution Designer.
  2. Expand the ‘Access’ and ‘Authentication’ nodes.
  3. Double-click the ‘External User Directories’ node.
  4. Open the ‘Add’ drop-down and select ‘Azure Active Directory’.
  5. Fill in the following details and tick ‘Use a custom application’:
    1. Therefore Client ID: <Therefore Client ClientID>
    2. Logon Domain: <logondomain>
    3. Additional Domains: <any other domains as necessary>
    4. Azure Tenant Name: <azuretenant>.onmicrosoft.com
    5. Application Client ID: <Therefore Server ClientID>
    6. Application Secret: <Application Secret>
  6. Select ‘OK’ once all previous details have been configured.
  7. Log in with the account which has administrative access to Azure AD.

Step 2: Testing Access from Therefore Navigator.

  1. Open Therefore Navigator.
  2. Change the ‘Authentication Provider’ to ‘Azure Active Directory’.
  3. Select ‘Update from Server’.
  4. Select ‘OK’.

Therefore Navigator should then prompt for Office 365 credentials and provide access to anyone within the Azure AD.